Marbled Dust Exploits Zero-Day in Output Messenger for Cyber Espionage Targeting Kurdish Military A Türkiye-linked threat actor, tracked as Marbled Dust (also known as Cosmic Wolf, Sea Turtle, and UNC1326), has been exploiting a zero-day vulnerability (CVE-2025-27920) in Output Messenger, an Indian enterprise communication platform, since April 2024. The campaign, uncovered by Microsoft Threat Intelligence, targeted Kurdish military entities in Iraq, aligning with the group’s historical focus on regional espionage. The flaw—a directory traversal vulnerability in Output Messenger version 2.0.62—allowed attackers to remotely execute arbitrary files. The developer, Srimax, patched the issue in December 2024 with version 2.0.63, though its advisory did not acknowledge in-the-wild exploitation. Microsoft assessed that Marbled Dust conducted reconnaissance to identify Output Messenger users before leveraging the zero-day. The attack chain began with authenticated access to the Output Messenger Server Manager, likely obtained via DNS hijacking or typosquatted domains. Once inside, the threat actor exploited CVE-2025-27920 to deploy malicious payloads, including: - OM.vbs and OMServerService.vbs (dropped in the server startup folder) - OMServerService.exe (a Golang backdoor placed in the server’s Users/public/videos directory) The backdoor communicated with a hard-coded domain (api.wordinfos[.]com) for data exfiltration. On the client side, the installer executed both the legitimate OutputMessenger.exe and a second Golang backdoor (OMClientService.exe), which connected to a Marbled Dust command-and-control (C2) server. The backdoor performed a connectivity check before sending victim hostname data, with responses executed via Windows command prompt (cmd /c). Microsoft also identified a second reflected XSS vulnerability (CVE-2025-27921) in the same version but found no evidence of its exploitation. The attack marks a shift in Marbled Dust’s sophistication, suggesting escalated targeting priorities or operational urgency while maintaining its established espionage focus. The group, active since at least 2017, has previously targeted telecoms, ISPs, IT service providers, and Kurdish entities in the Middle East, North Africa, and Europe.